Case study
Large-Scale KYC Remediation — A Major Post-Merger Backlog
Situation
A post-merger integration left the bank with a large backlog of unresolved customer records across multiple jurisdictions. Internal teams lacked both the capacity and the specialist knowledge to clear it at the required standard.
Risk exposure
Live financial crime risk from stale CDD: unknown material changes in customer risk profiles, and unverified PEP and sanctions status across a large population that had effectively gone unmonitored through the integration.
Before & after — the numbers
Post-merger integrations create financial crime risk at scale, quietly. As two books combine, customer records fall between the cracks of two operating models, CDD goes stale, and a backlog accumulates that neither legacy team owns. This bank emerged from its integration with a large, multi-jurisdictional backlog of unresolved customer records — and internal teams who had neither the capacity nor the specialist knowledge to clear them at a defensible standard.
The exposure was not theoretical. Behind a large backlog of stale CDD sat unknown material changes in customer risk profiles and unverified PEP and sanctions status — live risk on a population that had effectively gone unmonitored.
Design first, deploy second
The instinct with a backlog this size is to add people. We did the opposite first: within 30 days we delivered the programme design — a risk-tiered segmentation of the entire population, standardised file templates, decision logic, quality gates and escalation pathways. Effort was aimed at risk, so high-risk and EDD-eligible customers were triaged first rather than the population being worked in arbitrary order.
Scale through a blended model under one standard
CCL led the design, risk-tiering, quality assurance and governance, and integrated delivery resource to execute file completion at volume — all under a single quality framework. Independent QA tested whether risk was correctly identified and addressed, not merely whether files looked complete, keeping the standard intact as throughput rose. This is the delivery model in practice: specialist-led design and assurance, scaled execution beneath it.
MI the regulator could read
From the first delivery sprint, weekly MI packs went to ExCo and the MLRO: completion rates, EDD escalations, SAR triggers and ageing. The MI was built for the supervisory question — what was the risk, what did you do, how do you know it worked — so the programme was defensible while it ran, not just when it finished.
The outcome, and what was left behind
The programme reached 94% completion in 8 months with zero enforcement actions. As important as the cleared backlog was the handover: a perpetual-KYC operating model — event-driven triggers and a risk-based review cycle — so the backlog could not silently rebuild. A remediation without a sustainable BAU model is a temporary fix; this was built to hold.
Regulator-facing outputs
- Programme design and risk-tiered segmentation
- Standardised file templates, decision logic and quality gates
- Weekly MI packs to ExCo and the MLRO
- Perpetual-KYC operating model for BAU handover
Capabilities involved
The services behind this work
KYC Remediation at Scale
Structured remediation programmes from 10,000 to 500,000+ customers — triage, risk-tiering, file completion, MI tracking and regulator-ready outputs.
Explore serviceIndependent QA & Second-Line Challenge
Independent quality assurance and second-line challenge of remediation, CDD files and control frameworks — the credible, conflict-free check before the regulator provides one.
Explore serviceSpeak to the practice
Before it becomes a regulatory finding, make it a closed action.
A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.